SHA1 Password Encryption

ExpressionEngine uses the Secure Hash Algorithm (SHA1) for password encryption. SHA1 is widely used by the cryptographic community and is trusted as one of the most secure one-way encryption schemes in the world.

SHA1 produces a 40-character, 160-bit message digest that is computationally infeasible to crack. Not even a theoretical decoding scheme exists. SHA1 is very secure against brute-force collision and inversion attacks. Most web applications encode passwords using MD5 instead of SHA1. MD5 produces a 128-bit message digest, which has recently been shown to be vulnerable to collision search attacks.

A hacker would need over a million years of continuous computation to guess well-chosen passwords encrypted with SHA1.
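
The scheme described above, as an added example in PHP (the language ExpressionEngine is written in); it is not ExpressionEngine's own code. It assumes a single unsalted SHA1 pass, which the page does not specify, and goes beyond the page by placing PHP's salted, adaptive `password_hash()` beside it for comparison. The function names and the sample password are constructed for illustration.

```php
<?php
// Added example; not ExpressionEngine source. Function names are hypothetical.

// Scheme as the page describes it. Assumption: one unsalted SHA1 pass.
function sha1_store(string $password): string
{
    return sha1($password);            // 40 hex characters = 160 bits
}

function sha1_verify(string $password, string $stored): bool
{
    // hash_equals() compares the two digests in constant time.
    return hash_equals($stored, sha1($password));
}

// Comparison beyond the page: salted, adaptive hashing via PHP's password API.
function adaptive_store(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function adaptive_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Average seconds per call of $fn over $rounds calls.
function seconds_per_call(callable $fn, int $rounds): float
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $rounds;
}

$password = 'correct horse battery staple';   // constructed sample input

printf("SHA1 digest: %d hex chars, MD5 digest: %d hex chars\n",
    strlen(sha1_store($password)), strlen(md5($password)));

// Without a salt, equal passwords always map to equal stored values.
var_dump(sha1_store($password) === sha1_store($password));         // unsalted
var_dump(adaptive_store($password) === adaptive_store($password)); // salted

var_dump(sha1_verify($password, sha1_store($password)));
var_dump(adaptive_verify($password, adaptive_store($password)));

// Per-guess work is the quantity any guessing-time estimate depends on.
printf("SHA1:   %.9f s per hash\n", seconds_per_call(fn() => sha1($password), 100000));
printf("bcrypt: %.9f s per hash\n", seconds_per_call(fn() => adaptive_store($password), 3));
```

The arrow functions require PHP 7.4 or later; the timings printed depend on the machine the script runs on.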